When viewing the source HTML on the actual web server, the malicious line of code is definitely, 100% not present.
We have done a full server re-install (which was pretty painful) and hoped this would sort it (we found a rootkit on the system, which is now not there). Basically, we started from scratch.
But this external JS call is still appearing. I really don't know how to stop it from getting there (I have used AV software and Ad-Aware on the client and it still comes up), so I am wondering, is there some JavaScript that I can embed in my pages that will prevent any other external JavaScript calls from being executed? At least this bodge will stop it from doing harm as a short-term measure.
Any help would be extremely appreciated.
Many thanks
1) Have js in <head> that looks for a pattern matching something resembling <script src="blah....>, if it finds it change the src attribute to "dummy.js" which would just be empty so as to get no browser errors.
2) Similar to above but if it finds a <script> tag put html comments around it, eg <!-- <script.... -->
Possible?
You said that you started from scratch. I'm assuming that means you formatted the hard-drive and reinstalled the OS, then copied the web site files back to the server. If you did something else, please elaborate.
If you did do that, then check for any files pertaining to the site configuration.
You didn't state what web server you are using, but it sounds like it's probably Apache or some Linux-based server. I don't know the name of the file, but I am pretty sure there is a specific file name that is used for inserting a standard footer. (It may be the htaccess file; someone else can pipe in here.)
Thanks for chipping in.
I would dearly love to find the actual source, just can't track it down.
John, regarding "starting from scratch", we actually had a new hard drive put in. The website folder on the old machine was scanned for viruses (it was clean) and put back up. The OS is SUSE Linux.
I've checked .htaccess and can't see anything.
Steve, these results are now happening on 4 machines we have tested; 2 are on the same LAN. I am sure there is a client-side element, but how does it get onto the client, and why, when it's only the client, would it only affect sites on that server (1 IP address)? It sounds as if the server somehow puts the code in on the fly; when viewed in a browser this then attempts to download a virus (Bloodhound.Exploit.6) amongst others.
I must admit, I am totally bamboozled!
I don't know if it is every machine, but our web host downloaded a page and got the exploit, blocked by the AV.
Could you show me the code for doing a get on command line?
Site in profile is infected.
One other thing I should add is that it's intermittent; even on machines that have the problem it doesn't happen every time.
Cheers
You might want to do it this way so you can page through the file at your leisure:
GET [example.com...]
I tried thinking of some JS to do it, e.g. window.stop() and document.execCommand("Stop");, but they didn't work, so I changed my plan. I have set it up so that the JS will now be enclosed in an iframe; that seems to stop it from executing.
Just wish I could get to the root of the problem now.
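The check this thread keeps coming back to (the file on disk is clean, the page as served intermittently is not) can be automated. The following is an added example, not code from any poster: it compares the script sources in the on-disk HTML with those in several saved command-line fetches of the same page. The sample HTML, the host names and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value.strip())


def script_sources(html):
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    return set(collector.sources)


def external_hosts(sources, site_host):
    """Hosts referenced by the given script URLs, excluding the site's own host."""
    hosts = {urlparse(s).hostname for s in sources}
    return sorted(h for h in hosts if h and h.lower() != site_host.lower())


def check_samples(on_disk_html, served_samples, site_host):
    """Return (sample index, added script srcs, foreign hosts) for each fetch
    that contains a script the on-disk file does not. Several fetches are
    checked because the injection is reported as intermittent."""
    baseline = script_sources(on_disk_html)
    hits = []
    for index, body in enumerate(served_samples):
        added = sorted(script_sources(body) - baseline)
        if added:
            hits.append((index, added, external_hosts(added, site_host)))
    return hits


# Constructed sample data: the file as stored on the server, and three fetches.
ON_DISK = '<html><head><script src="/js/site.js"></script></head><body>Hi</body></html>'
TAMPERED = ON_DISK.replace(
    "</body>", '<script src="http://injected.example.invalid/x.js"></script></body>')
SERVED = [ON_DISK, TAMPERED, ON_DISK]

if __name__ == "__main__":
    for hit in check_samples(ON_DISK, SERVED, "www.example.com"):
        print(hit)
```

A hit on a fetch made from the server itself, bypassing any client browser, indicates the markup is being altered between the file on disk and the HTTP response rather than on the visitor's machine.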